[no-relnotes] Use reusable workflows for CI

This commit introduces the following changes to the CI structure.
A more agressive split of the CI steps to reusable workflows. We now have the following high-level workflows:

- A set of basic checks that are run on PR and can be invoked from a workflow
- A full ci pipeline that is run on push to main and release-* branches (as well as PR copy bot branches)
- A standalone definition for CodeQL

Signed-off-by: Carlos Eduardo Arango Gutierrez <[email protected]>

Author: ArangoGutierrez

.github/workflows/basic-checks.yaml

@@ -0,0 +1,49 @@
+# Copyright 2025 NVIDIA CORPORATION
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+name: "basic checks"
+
+on:
+  workflow_call:
+    outputs:
+      version:
+        description: "The short SHA to use as a version string"
+        value: ${{ jobs.variables.outputs.version }}
+      golang_version:
+        description: "The golang version for this project"
+        value: ${{ jobs.variables.outputs.golang_version }}
+  pull_request:
+    types:
+      - opened
+      - synchronize
+    branches:
+      - main
+      - release-*
+
+jobs:
+  variables:
+    uses: ./.github/workflows/variables.yaml
+
+  golang:
+    needs:
+    - variables
+    uses: ./.github/workflows/golang.yaml
+    with:
+      golang_version: ${{ needs.variables.outputs.golang_version }}
+
+  code-scanning:
+    needs:
+    - variables
+    uses: ./.github/workflows/code_scanning.yaml
+    with:
+      golang_version: ${{ needs.variables.outputs.golang_version }}

.github/workflows/ci.yaml

@@ -0,0 +1,34 @@
+# Copyright 2025 NVIDIA CORPORATION
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+name: CI Pipeline
+
+on:
+  push:
+    branches:
+      - "pull-request/[0-9]+"
+      - main
+      - release-*
+  
+jobs:
+  basic:
+    uses: ./.github/workflows/basic-checks.yaml
+
+  image:
+    uses: ./.github/workflows/image.yaml
+    needs:
+    - basic
+    secrets: inherit
+    with:
+      version: ${{ needs.basic.outputs.version }}
+      build_multi_arch_images: ${{ github.ref_name == 'main' || startsWith(github.ref_name, 'release-') }}

.github/workflows/code_scanning.yaml

@@ -0,0 +1,53 @@
+# Copyright 2025 NVIDIA CORPORATION
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+name: "CodeQL"
+
+on:
+  workflow_call:
+    inputs:
+      golang_version:
+        required: true
+        type: string
+
+jobs:
+  analyze:
+    name: Analyze Go code with CodeQL
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+    permissions:
+      security-events: write
+      packages: read
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Install Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: ${{ inputs.golang_version }}
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: go
+        build-mode: manual
+
+    - shell: bash
+      run: |
+        make build
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:go"

.github/workflows/golang.yaml

@@ -15,72 +15,56 @@
 name: Golang
 
 on:
-  pull_request:
-    types:
-      - opened
-      - synchronize
-    branches:
-      - main
-      - release-*
-  push:
-    branches:
-      - main
-      - release-*
+  workflow_call:
+    inputs:
+      golang_version:
+        required: true
+        type: string
 
 jobs:
   check:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
       name: Checkout code
-    - name: Get Golang version
-      id: vars
-      run: |
-        GOLANG_VERSION=$(./hack/golang-version.sh)
-        echo "GOLANG_VERSION=${GOLANG_VERSION##GOLANG_VERSION := }" >> $GITHUB_ENV
+
     - name: Install Go
       uses: actions/setup-go@v5
       with:
-        go-version: ${{ env.GOLANG_VERSION }}
+        go-version: ${{ inputs.golang_versions }}
+
     - name: Lint
       uses: golangci/golangci-lint-action@v6
       with:
         version: latest
         args: -v --timeout 5m
         skip-cache: true
+
     - name: Check golang modules
       run: |
         make check-modules
         make -C deployments/devel check-modules
+
   test:
     name: Unit test
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout code
-      uses: actions/checkout@v4
-    - name: Get Golang version
-      id: vars
-      run: |
-        GOLANG_VERSION=$(./hack/golang-version.sh)
-        echo "GOLANG_VERSION=${GOLANG_VERSION##GOLANG_VERSION ?= }" >> $GITHUB_ENV
-    - name: Install Go
-      uses: actions/setup-go@v5
-      with:
-        go-version: ${{ env.GOLANG_VERSION }}
-    - run: make test
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.golang_version }}
+      - run: make test
+
   build:
     name: Build
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout code
-      uses: actions/checkout@v4
-    - name: Get Golang version
-      id: vars
-      run: |
-        GOLANG_VERSION=$(./hack/golang-version.sh)
-        echo "GOLANG_VERSION=${GOLANG_VERSION##GOLANG_VERSION ?= }" >> $GITHUB_ENV
-    - name: Install Go
-      uses: actions/setup-go@v5
-      with:
-        go-version: ${{ env.GOLANG_VERSION }}
-    - run: make build
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.golang_version }}
+      - run: make build

.github/workflows/image.yaml

@@ -16,36 +16,25 @@
 name: Image
 
 on:
-  push:
-    branches:
-      - "pull-request/[0-9]+"
-      - main
-      - release-*
+  workflow_call:
+    inputs:
+      version:
+        required: true
+        type: string
+      build_multi_arch_images:
+        required: true
+        type: string
 
 jobs:
   build:
     runs-on: linux-amd64-cpu4
     steps:
       - uses: actions/checkout@v4
         name: Check out code
-      - name: Calculate build vars
-        id: vars
-        run: |
-          echo "COMMIT_SHORT_SHA=${GITHUB_SHA:0:8}" >> $GITHUB_ENV
-          echo "LOWERCASE_REPO_OWNER=$(echo "${GITHUB_REPOSITORY_OWNER}" | awk '{print tolower($0)}')" >> $GITHUB_ENV
-
-          GENERATE_ARTIFACTS="false"
-          if [[ "${{ github.actor }}" == "dependabot[bot]" ]]; then
-            GENERATE_ARTIFACTS="false"
-          elif [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.head.repo.full_name }}" == "${{ github.repository }}" ]]; then
-            GENERATE_ARTIFACTS="true"
-          elif [[ "${{ github.event_name }}" == "push" ]]; then
-            GENERATE_ARTIFACTS="true"
-          fi
-          echo "PUSH_ON_BUILD=${GENERATE_ARTIFACTS}" >> $GITHUB_ENV
-          echo "BUILD_MULTI_ARCH_IMAGES=${GENERATE_ARTIFACTS}" >> $GITHUB_ENV
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
+        with:
+          image: tonistiigi/binfmt:master
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Login to GitHub Container Registry
@@ -56,8 +45,10 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build image
         env:
-          IMAGE_NAME: ghcr.io/${LOWERCASE_REPO_OWNER}/k8s-dra-driver
-          VERSION: ${COMMIT_SHORT_SHA}
+          IMAGE_NAME: ghcr.io/nvidia/k8s-dra-driver
+          VERSION: ${{ inputs.version }}
+          PUSH_ON_BUILD: true
+          BUILD_MULTI_ARCH_IMAGES: ${{ inputs.build_multi_arch_images }}
         run: |
           echo "${VERSION}"
           make -f deployments/container/Makefile build

.github/workflows/variables.yaml

@@ -0,0 +1,44 @@
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+on:
+  workflow_call:
+    outputs:
+      version:
+        description: "The short SHA to use as a version string"
+        value: ${{ jobs.variables.outputs.version }}
+      golang_version:
+        description: "The golang version for this project"
+        value: ${{ jobs.variables.outputs.golang_version }}
+
+jobs:
+  variables:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.version.outputs.version }}
+      golang_version: ${{ steps.golang_version.outputs.golang_version }}
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Generate Commit Short SHA
+      id: version
+      run: echo "version=$(echo $GITHUB_SHA | cut -c1-8)" >> "$GITHUB_OUTPUT"
+
+    - name: Get Golang Version
+      id: golang_version
+      run: |
+        GOLANG_VERSION=$(./hack/golang-version.sh)
+        echo "Detected $GOLANG_VERSION"
+        echo "golang_version=${GOLANG_VERSION}" >> $GITHUB_OUTPUT

deployments/devel/Dockerfile

@@ -24,4 +24,3 @@ RUN make install-tools
 # We need to set the /work directory as a safe directory.
 # This allows git commands to run in the container.
 RUN git config --file=/.gitconfig --add safe.directory /work
-